• SuperShell is a sophisticated backdoor malware targeting Linux SSH servers, written in the Go language, which allows cross-platform functionality on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems. The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty." Once access is gained, attackers execute a series of commands to download and install SuperShell, leveraging tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.
• 
  
• SuperShell's obfuscation adds complexity, but it can still be identified through specific internal strings and its runtime behavior. The malware's installation process is versatile, targeting directories like /tmp, /var/run, /mnt, and /root, with commands often including clean-up actions to remove traces post-installation (rm -r *). Typically, the payload involves downloading a script or binary, which is then executed with elevated permissions using chmod +x followed by execution (./ssh1). This pattern is consistently observed across multiple commands, highlighting the malware's redundancy and persistence in ensuring successful deployment.
• Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency. 

 2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

• On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.
• Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
• Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
• IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
• Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.

 
Download. Email me if you need the password scheme.